BrunoP.Blog

Google detected the first AI-created zero-day used in a real attack — what changes for website owners

Google Threat Intelligence reported something unprecedented: a group used AI to find and exploit a zero-day in SQLite in a real attack. The AI wasn't the attacker — it was the accelerator. The window between a vulnerability appearing and being exploited just got shorter. What does this mean in practice?

There's a line we used to repeat in security as a hypothesis: “one day AI will write exploits on its own.” Well — it left the hypothesis stage. In May, Google reported (with the story confirmed by Bloomberg) the first known case of a zero-day built with AI help and used in a real attack.

What happened

According to Google's Threat Intelligence Group (GTIG), a financially motivated cybercrime group used a frontier AI model to develop a working exploit — a two-factor authentication (2FA) bypass in a popular open-source web admin tool. The plan was a “mass exploitation event”: hitting many targets at once. It was stopped in time — Google says its “proactive counter-discovery” may have prevented the use.

Two details matter: Google does not believe Gemini was used, but it has high confidence an AI model supported the discovery and weaponization of the flaw. And their sober read: AI is accelerating attack workflows that already existed — not inventing new techniques. State actors (China, North Korea) are watching this closely too.

Why this changes the game if you run a site

Defense didn't change in nature — it changed clock speed. The cycle “a flaw is disclosed → someone writes the exploit → the attack hits the internet” always had a window. With AI in the attacker's hands, that window shrank. What used to take weeks can take days or hours.

And note the target: a 2FA bypass. That “I turned on 2FA, I'm safe” feeling is exactly what falls first. 2FA is a great layer — it's not a magic shield.

What to do (no panic, with method)

  • Shorten your patch window. Entry point #1 is still outdated software. If you update “whenever,” that now costs more. Keep an inventory of what runs on your site and a cadence for updates.
  • Defense in depth. 2FA + strong password + WAF + least privilege + tested backups. When one layer falls (as 2FA did here), the others hold.
  • Monitor. Most automated attacks are noisy — spikes of login attempts, weird requests. Whoever looks, notices.
  • Use AI on your side too. The same leverage that helps the attacker helps the defense: log triage, code review, dependency scanning. Google stopped this attack partly with defensive AI.
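As an added example (not from the original post), a small Python script that does the “monitor” step over constructed auth log lines: it flags a source IP whose failed logins spike inside a short window and reports how many distinct usernames it tried, which separates a user retrying a password from a spraying run. The log format, threshold, window and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample auth log lines (not from any real system): one source
# hammers the login form with several usernames; one real user mistypes once.
SAMPLE_LOG = """\
2026-05-12T10:00:01Z auth fail user=admin src=203.0.113.9
2026-05-12T10:00:02Z auth fail user=admin src=203.0.113.9
2026-05-12T10:00:02Z auth fail user=editor src=203.0.113.9
2026-05-12T10:00:03Z auth fail user=root src=203.0.113.9
2026-05-12T10:00:05Z auth fail user=alice src=198.51.100.20
2026-05-12T10:00:06Z auth ok user=alice src=198.51.100.20
2026-05-12T10:00:20Z auth fail user=bruno src=203.0.113.9
2026-05-12T10:00:21Z auth fail user=webmaster src=203.0.113.9
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>fail|ok) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, src), or None if the line doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def find_login_bursts(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins inside any window_s-second span.
    Returns {src: (peak_failures_in_window, distinct_users_tried)}: the second
    number tells one user retrying a password apart from credential spraying."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    users = defaultdict(set)      # src -> usernames that failed from that source
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "fail":
            continue
        ts, _, user, src = parsed
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(src, (0, 0))[0])
            flagged[src] = (peak, len(users[src]))
    return flagged
```

On the sample, only 203.0.113.9 is flagged (six failures across five usernames inside one minute); alice's single typo stays below the threshold.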

If you run a site, it's worth reviewing the website security guide — it covers the basics that hold off 90% of automated attacks. And to not lose track of “what needs patching,” that's exactly the problem VulnGuard solves.

See the vulnerability-management demo

FAQ

Can AI hack on its own yet? Not yet — the case shows AI as leverage (it sped up a human group), not an autonomous attacker. Google itself says AI accelerates existing workflows rather than inventing new techniques. The effect is speed: the exploitation window shrank.
What do I do? The basics, with urgency: keep everything updated, defense in depth (2FA isn't magic — the flaw here was a 2FA bypass), monitor, and keep an inventory of what needs patching.

Sources: Bloomberg, SecurityWeek, IT Pro (Google Threat Intelligence Group, May 2026).